DRAFT. HIPAA Impact Determination Questionnaire (Gap Analysis)

Transcription

1 DRAFT HIPAA Impact Determination Questionnaire (Gap Analysis)

2

3 INSTRUCTIONS The Impact Determination Questionnaire (IDQ) must be completed to identify all areas that must be addressed in order to meet HIPAA Administrative Simplification requirements. Please follow the instructions below: Follow the detailed instructions that appear at the beginning of individual sections or are associated with specific questions. When filling out charts and informational sections, be as detailed and specific as possible (e.g., Microsoft Access rather than PC database ). HIPAA requirements are highlighted with shading in the questions or answer choices; be sure that your organization fully meets the specified requirements before answering YES to any question. Answer every question in every section of the Impact Determination Questionnaire, regardless of the your organization s Covered Entity type. Each individual question or set of questions refers to a HIPAA requirement. Based on answers to the questions presented, you will be asked to indicate whether a exists. A refers to the gap between your current business and technical environment and the HIPAA requirement(s). When a is identified, mark the appropriate box and continue answering the remaining questions. HIPAA Impact Determination Questionnaire Page 1

4 1. Entity Identification Government Entity Name: Component Name: Component Head: HIPAA Coordinator: Date: Type of Entity: (check all that apply) Health Care Provider Health Plan ( Small Health Plan - Receipts < $5 mil.) Health Care Clearinghouse Business Associate / Trading Partner Section: Head of Section: Title: Section Representatives Name: Title: HIPAA Impact Determination Questionnaire Page 2

5 2. Functions Performed by Covered Section Please list every function performed by the Section identified as a Covered Entity or Business Associate/Trading Partner. Provide the requested information for each Section (duplicate this page as needed). Functions Performed by Covered Entity or Business Associate/Trading Partner (List all functions performed by this Section that relate to the Covered Entity or Business Associate/Trading Partner) M/E 1 System(s) Used Local, Agency, State 2 (Indicate M or E) (If electronic, list all automated/electronic systems used to perform this function) (Indicate A, or S) Position Responsible for Function (Indicate point of accountability within the Section for this covered function) 1 2 M = Manual function, E = Electronic (automated) function A = System is maintained by the Agency (i.e., Agency Division of IT), S = System is State-maintained (i.e., by Information Technology Department - ITD) HIPAA Impact Determination Questionnaire Page 3

6 3. Business Associate Inventory A business association occurs when the right to use or disclose the protected health information belongs to the Covered Entity, and another person is using or disclosing the protected health information to perform a function or activity on behalf of the Covered Entity. A Business Associate is a person (or organization), not a member of the workforce of the covered entity, who performs, or assists in the performance of, a function or activity involving the use or disclosure of individually identifiable health information. Examples are: performing claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing functions (often called Trading Partners); or providing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. Your Section may either use the services of a Business Associate or be a Business Associate of a Covered Entity. It is possible to be both a Covered Entity and a Business Associate. Please list all Business Associate relationships below, indicating the organization s name, covered functions performed, whether the functions are performed manually or electronically, the systems used for functions performed electronically, and whether or not a contract is in place. Covered Functions Performed Manual/ Organization Name G/ P 1 Electronic (M or E) Business Associates of Your Section Systems Used Contract (Y or N) Covered Entities for Whom Your Section is a Business Associate 1 G = Government, P = Private HIPAA Impact Determination Questionnaire Page 4

7 4. Privacy Requirements 1. Business Associates 1.a Does your organization have any Business Associates? 1.b Are contracts or memoranda of understanding (MOU) in place with all Business Associates that define their responsibilities for protecting PHI? go to Question 2 1.c If you did not check YES for 1.b, please mark the 2. Individual PHI Access Requests 2.a Does your organization have policies and procedures to handle individuals requests for access to PHI? go to 2.c 2.b Do these policies and procedures include all the following features (check all that apply):! Requests for restriction! Requests for communication of PHI! Grant individual access to PHI! Right to amend individual PHI! Provide accounting of PHI disclosures? (all boxes for 2.b 2.c If you did not check YES for both 2.a and 2.b, please mark the 3. Federal Reporting 3.a Does your organization have access to all appropriate data regarding privacy requirements to comply with future federal reporting requirements? 3.b Does your organization have access to updates on Rules and Regulations regarding privacy requirements to comply with future federal requirements? 3.c If you did not check YES for both 3.a and 3.b, please mark the 4. HIPAA Privacy Training 4.a Does your organization have a training program that instructs all employees in HIPAA privacy requirements? 4.b Does your organization have a plan to provide initial and periodic HIPAA privacy training to all appropriate employees? -- go to 4.c 4.c If you did not check YES for both 4.a and 4.b, please mark the 5. Privacy Violations 5.a Does your organization have policies and procedures developed and implemented for dealing with privacy violations? go to 5.c HIPAA Impact Determination Questionnaire Page 5

8 5.b Do these policies and procedures include all the following features (check all that apply):! Process for handling privacy infractions! Definition of sanctions! Mitigation strategies to counter potential harmful effects resulting from violations? (all boxes for 5.b 5.c If you did not check YES for both 5.a and 5.b, please mark the 6. Policies and Procedures 6.a Does your organization have documented privacy policies and procedures? 6.b Do these policies and procedures include all of the following features (check all that apply):! Formally documented in a manner that demonstrates compliance with privacy requirements! Updated and maintained according to a defined process! Retained for six (6) years? go to 6.c (all boxes for 6.b 6.c If you did not check YES for both 6.a and 6.b, please mark the 7. Notice of Privacy Practices 7.a Is your organization a health care provider? 7.b Does your organization have a Notice of Privacy Practices (Note: except for correctional facilities that treat only inmates)? go to Question 8 go to 7.e 7.c Is this Notice posted and provided to all patients?! N/A correctional institution, go to Question 8 7.d Does this Notice contain all of the following features (check all that apply):! Written in plain language! Provides information regarding uses and disclosures of PHI! Clarifies an individual s privacy rights! Describes the organization s responsibilities under HIPAA! Explains how to file complaints with the organization or with the U.S. Secretary of HHS! Gives the name, title, and phone number of a contact person for more information! Contains the effective date of the Notice? (all boxes for 7.d HIPAA Impact Determination Questionnaire Page 6

9 7.e If you did not check YES for all items 7.b, 7.c and 7.d, please mark the 8. Privacy Official/Complaint Contact 8.a Does your organization have a designated Privacy Official who is responsible for the development and implementation of the organization s privacy policies and procedures? 8.b Does your organization have a designated contact person or office to receive privacy complaints and provide further information about your organization s privacy practices?, same person as Privacy Officer, separate person/office 8.c If you did not check YES for both 8.a and 8.b, please mark the 9. Complaint/Resolution Process 9.a Does your organization have a documented and implemented privacy complaint and resolution process? 9.b Does this process contain all of the following features (check all that apply):! Defines the formal complaint process! Defines the resolution process? go to 9.c (both boxes for 9.b 9.c If you did not check YES for both 9.a and 9.b, please mark the 10. Use and Disclosure of PHI 10.a Does your organization have a consent form that is used to gain consent from an individual to release PHI for treatment, payment, and business operations? 10.b Does your organization have an Authorization form that is used to obtain authorization from an individual to release PHI for purposes other than treatment, payment, and business operations? 10.c Does your organization s Authorization form include all of the following features (check all that apply):! Describes the PHI to be released! Identifies the person making the request! Contains the expiration date of the authorization! Contains a statement of the individual s right to revoke the authorization! Describes the possibility of re-disclosure! Contains areas for signature and date! Permits a description of the signing-authority, if a representative? go to 10.d (all boxes for 10.c HIPAA Impact Determination Questionnaire Page 7

10 10.d If you did not check YES for all items 10.a through 10.c, please mark the HIPAA Impact Determination Questionnaire Page 8

11 5. Security and Electronic Signature Requirements Administrative Procedures -- to guard data integrity, confidentiality, and availability. Documented, formal practices to manage the selection and execution of security measures to protect data, and to manage the conduct of personnel in relation to the protection of data. 1. Certification 1.a Has your organization performed a technical evaluation to establish the extent to which systems and networks meet HIPAA security requirements? 1.b If you did not check YES for 1.b, please mark the 2. Trading Partners 2.a Does your organization have Trading Partners? go to Question 3 2.b Have all Trading Partners been identified and inventoried? 2.c Have Chain of Trust Agreements to protect the integrity and confidentiality of electronically exchanged data been developed and implemented for each Trading Partner? 2.d If you did not check YES for 2.b and 2.c, please mark the 3. Contingency Plan 3.a Does your organization have a comprehensive Contingency Plan that meets HIPAA security and privacy requirements and contains the elements in items 3.a.1-3.a.5 below? 3.a.1 Has your organization performed an applications and data criticality analysis that provides a formal assessment of the sensitivity, vulnerabilities, and security of its programs and the information received, manipulated, stored, and transmitted? 3.a.2 Does your organization have a documented and routinely-updated data backup plan to create and maintain, for a specific period of time, retrievable exact copies of information? 3.a.3 Does your organization have a comprehensive disaster recovery plan (DRP) that contains a process for enabling the organization to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure? 3.a.4 Does your organization have an emergency mode operation plan that contains a process enabling the organization to continue to operate in the event of fire, vandalism, natural disaster, or system failure? HIPAA Impact Determination Questionnaire Page 9

12 3.a.5 Does your organization have a documented process of periodic testing of written contingency plans to discover weaknesses and a subsequent process for revision of the documentation, if needed? 3.b If you did not check YES for 3.a and 3.a.1 through 3.a.5, please mark the 4. Administrative Security Policies 4.a Does your organization have comprehensive administrative security policies and procedures that are documented and implemented to manage the selection and execution of security measures to protect data and manage the conduct of personnel? 4.a.1 4.a.2 4.a.3 Does your organization have documented policies and procedures for the routine and non-routine receipt, manipulation, storage, dissemination, transmission and/or disposal of health information? Does your organization have formal, documented policies and procedures for granting different levels of access to health care information that include all of the following features (check all that apply): Access authorization Information use policies and procedures that establish the rules for granting access (e.g., to a terminal, transaction, program, process, or some other user) Access establishment security policies and rules that determine an entity's initial right of access to a terminal, transaction, program, process, or some other user Access modification security policies and rules that determine the types of, and reasons for, modification to an entity's established right of access to a terminal, transaction, program, process, or some other user? Does your organization maintain an in-house review of the records of system activity (such as logins, file accesses, and security incidents)? (all boxes for 4.a.2 HIPAA Impact Determination Questionnaire Page 10

13 4.a.4 Does your organization have personnel security and management processes, ensuring that all personnel who have access to any sensitive information have the required authorities and all appropriate clearances, that include all of the following features (check all that apply):! Documented formal procedures and instructions for the oversight of maintenance personnel when they are near individuals' health information! Ongoing documentation and review of the levels of access granted to a user, program, or procedure accessing health information! Formal documented policies and procedures for determining the access level to be granted to individuals working on, or near, health information! Measures to determine that an individual's access to sensitive unclassified automated information is admissible! Formal, documentation of procedures to ensure that all personnel who have access to sensitive information have the required authority as well as appropriate clearances! Assurances that system users, including maintenance personnel, receive security awareness training? 4.a.5 Does your organization have security configuration management measures, practices, policies, and procedures for the security of information systems and are these elements coordinated/integrated with each other to create a coherent system of security which includes all of the following features (check all that apply):! Written security plans, rules, procedures, and instructions concerning all components security! Formal, documented procedures for connecting and loading new equipment and programs, periodic review of the maintenance occurring on that equipment and programs, and periodic security testing of the security attributes of that hardware/software! Formal documented inventory of hardware and software assets! Security testing to determine that security features of the systems are implemented as designed and are adequate for a proposed applications environment, including hands-on functional testing, penetration testing, and verification! Virus checking to identify and disable a virus computer program, a code fragment that reproduces itself by attaching to another program, and an embedded code in a program that causes a copy of itself to be inserted in other programs? (all boxes for 4.a.4 (all boxes for 4.a.5 4.a.6 Does your organization have formal documented instructions for reporting security breaches that include all of the following features (check all that apply):! A documented formal mechanism to document incidents.! Documented formal rules or instructions for actions to be taken as a result of the receipt of a security incident report? (both boxes for 4.a.6 HIPAA Impact Determination Questionnaire Page 11

14 4.a.7 Does your organization have a security management process for the creation, administration, and oversight of policies to ensure the prevention, detection, containment, and correction of security breaches involving risk analysis and risk management that includes all of the following features (check all that apply):! Risk analysis -- a process whereby cost-effective security control measures may be selected by balancing the costs of various security/control measures against the losses that would be expected if these measures were not in place! Risk management -- the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk! Sanction policies and procedures statements of disciplinary actions that are communicated to all employees, agents, and contractors that include notices of civil or criminal penalties for infractions and indicate that violations may result in notification of law enforcement officials and regulatory, accreditation, and licensure organizations! Security policy statements of information values, protection responsibilities, and organization commitment for a security system? (all boxes for 4.a.7 4.a.8 Does your organization have formal documented instructions for employee terminations that include appropriate security measures for ending an internal/external user's access that include formal documented procedures for all of the following features (check all that apply):! Changing locks and combinations, both on a recurring basis and when personnel knowledgeable of combinations no longer have a need to know or require access to the protected facility or system.! Removal from access lists! Removal of user accounts and an individual's access privileges to information, services, and resources! Turning in of keys, tokens, or access cards? (all boxes for 4.a.8 4.a.9 Does your organization have a security training program to educate employees regarding the vulnerabilities of health information and ways to ensure protection of that information, including all of the following features (check all that apply):! Security awareness training for all personnel and management! Periodic security reminders! User education concerning virus protection! User education in importance of monitoring log-in success/failure, how to report discrepancies, and responsibility to ensure security of health care information! Password management? (all boxes for 4.a.9 4.b If you did not check YES for all items 4.a.1 through 4.a.9, please mark the box at the right. HIPAA Impact Determination Questionnaire Page 12

15 Physical Security Safeguards -- to guard data integrity, confidentiality, and availability. Protection of physical computer systems and related buildings and equipment from disasters and unauthorized access. 5. Management of Security Measures 5.a Does your organization have practices for management to manage and supervise the execution and use of security measures to protect data and manage and supervise the conduct of personnel in relation to the protection of data? 5.b Does your organization have media controls in the form of formal, documented policies and procedures that govern the receipt and removal of hardware/software into and out of a facility that include all of the following features (check all that apply):! Access control! Accountability! Data backup! Data storage! Disposal? 5.c Does your organization have formal documented policies and procedures to limit physical access to an entity, while ensuring that properly-authorized access is allowed, that include all of the following features (check all that apply):! Disaster recovery! Emergency mode operation! Equipment control into and out of the site! Facility security plan to safeguard the premises and building from unauthorized physical access and to safeguard the equipment from unauthorized physical access, tampering and theft! Formal documented policies and instructions for validating the access privileges of an entity before granting those privileges! Maintenance records that document repairs and modifications to the physical components of a facility, such as hardware, software, walls, doors, and locks! A security principle stating that a user should have access only to the data needed to perform a particular function! Formal documented procedure governing the reception and hosting of visitors (e.g., sign-in and escort)! Restriction of program testing and revision to formally-authorized personnel? (all boxes for 5.b (all boxes for 5.c 5.d Does your organization have documented work station use instructions and procedures that delineate proper functions to be performed, manner of performance, and physical attributes of the surroundings of a specific computer terminal site or type of site, depending upon the sensitivity of the information accessed from that site? HIPAA Impact Determination Questionnaire Page 13

16 5.e Does your organization have physical safeguards to eliminate or minimize the possibility of unauthorized access to information (e.g., relocating terminals accessing sensitive information to an appropriately restricted area)? 5.f Does your organization have information security awareness training programs that are mandatory for all employees, agents, and contractors, including customized education based on job responsibilities that focuses on issues regarding use of health information and responsibilities regarding confidentiality and security? 5.g If you did not check YES for all items 5.a through 5.f, please mark the Technical Security Services to protect information and control individual access. 6. Access Controls 6.a Does your organization have a system of access control that includes all of the following features (check all that apply):! (1) Procedure for emergency access! (2) At least one of the following:! Context-based access (access control procedure based on the context of a transaction as opposed to the attributes of the initiator or target)! Role-based access! User based access! (3) Optional use of encryption? (Items (1) and (2) checked and at least one subsidiary item under (2) 6.b Does your organization have audit control mechanisms that record and examine system activity? 6.c Does your organization have a mechanism of authorization control to obtain consent for the use and disclosure of health information that includes at least one of the following features (check all that apply):! Role-based access! User-based access? (at least one box for 6.c 6.d Does your organization have data authentication capabilities to corroborate that data has not been altered or destroyed in an unauthorized manner (e.g., use of check sum, double keying, message authentication code, digital signature)? HIPAA Impact Determination Questionnaire Page 14

17 6.e Does your organization have entity authentication capabilities to corroborate than an entity is the one claimed, including all of the following features (check all that apply):! (1) Automatic log-off! (2) Unique user identifier! (3) At least one of the following:! Biometric identification (e.g., hand geometry, retinal scan, iris scan, fingerprint, facial characteristics, DNA sequence characteristics, voice print, hand written signature)! Password! Personal identification number (PIN)! Telephone call back procedure! Token? (Items (1), (2), and (3) checked and at least one subsidiary item under (3) 6.f If you did not check YES for all items 6.a through 6.e, please mark the Technical Security Mechanisms -- to protect and prevent unauthorized access to data transmitted over a communications network. 7. Security Mechanism Standards 7.a Does your organization use communications or network controls? 7.b Do your organization's security standards for technical security mechanisms include both (check all that apply):! (1) Integrity controls to ensure the validity of the information being electronically transmitted/stored! (2) Message authentication to ensure (typically with a message authentication code) that a message received matches the message sent AND one of the following:! (3) Access controls (protection of sensitive communication over open networks so that it cannot be easily intercepted and interpreted by parties other than intended recipient)! (4) Encryption? go to 7.d (Items (1) and (2) checked AND item (3) or (4) HIPAA Impact Determination Questionnaire Page 15

18 7.c Do your organization's security mechanisms include all of the following features (check all that apply):! Alarm (any device that can sense an abnormal condition within the system and provide a signal indicating the presence of the abnormality)! Audit trail (data collected and potentially used to facilitate a security audit)! Entity authentication (mechanism to irrefutably identify authorized users, programs, processes and to deny access to unauthorized users, programs, processes! Event reporting (network message indicating operational irregularities in physical elements of a network or a response to the occurrence of a significant task, typically the completion of a request for information)? (all boxes for 7.c 7.d If you did not check YES for all items 7.a through 7.c, please mark the Electronic Signature - using a set of rules and parameters to verify the identity of the signer and the integrity of the data. 8. Electronic Signature 8.a Does your organization currently use an electronic signature in any of the eight mandated electronic transactions? go to 8.d 8.b Does your organization use a digital signature (an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters so that the identify of the signer and the integrity of the data can be verified)? 8.c Does your organization's digital signature capability have the following features (check all that apply):! Message integrity! Nonrepudiation! User authentication? (all boxes for 8.c 8.d If you did not check YES for all items 8.a through 8.c, please mark the HIPAA Impact Determination Questionnaire Page 16

19 6. Electronic Transaction, Identifier, and Code Set Requirements Systems/Situational Summary by Transaction Type Transaction System(s) I/V/ Maintainer L/A/ C 1 S 2 (Identify system(s) used) In-house (Department or Contractor) or Vendor Name Health Care Claims and Encounters Health Plan Eligibility Referral Certification & Authorization Health Care Claim Status Health Plan Enrollment & Disenrollment Health Care Payment/RA Health Plan Premium Payment Coordination of Benefits (COB) 1 2 I = In-house System, V = Vendor Licensed/Maintained System, C = Commercial Off-the-Shelf (COTS) L = Local (Section) System, A = Agency System, S = State System HIPAA Impact Determination Questionnaire Page 17

20 Please complete one set of answers to sections 6.A and 6.B FOR EACH SYSTEM identified in the Systems/Situational Summary by Transaction Type on the previous page. Provide answers to the questions below regarding your use of electronic health care transactions and identifiers with each system. The HIPAAstandard formats and requirements are highlighted with shading for easy identification. Be sure to mark the box whenever appropriate, as indicated by the instructions. Each marked indicates an area in which your organization must estimate the resources and cost of remediation activities necessary to achieve compliance with the standard. Duplicate this section as needed. System: 6.A. Electronic Transaction Requirements 1. Health Care Claim/Encounter 1.a Does the system create, send, receive, or store retail pharmacy drug claims (i.e., claims or encounter information submitted for the purchase or provision of prescription drugs)? 1.b Indicate the format used for retail pharmacy drug claims/encounters, if known. go to Question 1.d! NCPDP Telecommunication Standard (Implementation Guide), Version 5, Release 1, dated Sept. 1999! NCPDP Batch Standard (Implementation Guide), Version 1, Release 0, dated Feb ! Other NCPDP (specify)! 3270 Dummy Terminal (direct data entry)! Other (specify) developed by (specify) 1.c If you did not check the HIPAA-standard format (highlighted) for 1.b, please mark the 1.d Does the system create, send, receive, or store dental health care claims (i.e., claims or encounter information submitted for the provision of dental health care services)? go to Question 1.g HIPAA Impact Determination Questionnaire Page 18

21 1.e Indicate the format used for dental health care claims/encounters, if known.! ANSI ASC X12N X097! ANSI ASC X12N 837, Version! National Standard Format Version! 3270 Dummy Terminal (direct data entry)! Other (specify) developed by (specify) 1.f If you did not check the HIPAA-standard format (highlighted) for 1.e, please mark the 1.g Does the system create, send, receive, or store professional health care claims (i.e., claims or encounter information submitted for the provision of medical health care services by a doctor, therapist, chiropractor, etc.)? go to Question 1.j 1.h Indicate the format used for professional health care claims/encounters, if known.! ANSI ASC X12N X098! ANSI ASC X12N 837, Version! HCFA-1500! National Standard Format Version! 3270 Dummy Terminal (direct data entry)! Other (specify) developed by (specify) 1.i If you did not check the HIPAA-standard format (highlighted) for 1.h, please mark the 1.j Does the system create, send, receive, or store institutional health care claims (i.e., claims or encounter information submitted for the provision of inpatient health care services by a hospital, nursing facility, etc.)? go to Question 2 HIPAA Impact Determination Questionnaire Page 19